Blog

Whole Foods Market Investigates Hack Attack

Upscale supermarket chain Whole Foods Market says it's investigating an apparent payment card data breach that affects facilities located in some of its stores, although none of its checkout lanes.

"Whole Foods Market recently received information regarding unauthorized access of payment card information used at certain venues such as taprooms and full table-service restaurants located within some stores," the supermarket chain says in a Thursday statement. "These venues use a different point-of-sale system than the company's primary store checkout systems, and payment cards used at the primary store checkout systems were not affected."

Based in Austin, Texas, Whole Foods has 449 stores in the United States, making it the ninth largest U.S. food retailer by sales volume. It has more than 87,000 employees, 13 stores in Canada and nine in the United Kingdom, and had $15.7 billion in sales in 2016.

Whole Foods could not be immediately reached for comment about how many of its supermarkets have restaurants, but it reportedly has more than 40 taprooms, or bar areas.

Whole Foods has not described how or when it learned of the breach, or if payment cards handled outside the United States might have been affected. But it says in it statement that when it learned of the breach, "the company launched an investigation, obtained the help of a leading cybersecurity forensics firm, contacted law enforcement and is taking appropriate measures to address the issue."

Amazon.com Subsidiary

In June, in a move that shocked the $800 billion supermarket industry, Amazon.com announced that it would be buying Whole Foods. The deal, finalized in August for $13.7 billion, now pits Amazon.com directly against such supermarket giants as Wal-Mart Stores, Kroger and Costco Wholesale.

Whole Foods says its breach does not affect any Amazon systems. "The Amazon.com systems do not connect to these systems at Whole Foods Market," it says. "Transactions on Amazon.com have not been impacted."

Payment Card Breach Epidemic Continues

The Whole Foods breach is the latest in a long line of hack attacks that have targeted organizations that collect payment card data, especially including numerous hotels and restaurants (see Trump Hotels Suffers Another Payment Card Breach).

Just this week, for example, fast-food chain Sonic Drive-In said it was investigating an apparent payment card data breach affecting an unspecified number of its 3,500 franchises across the United States.

While some attacks target third-party POS service providers, the payment card data breach epidemic is being compounded by too many organizations failing to prepare for breaches by segmenting their networks, ensuring that POS devices do not have default settings, or putting in place proper detection and response capabilities, according to Verizon's 2017 Data Breach Investigations Report.

Apparent Network Segmentation

Security experts say that the apparent inability of Whole Foods' hackers to jump from point-of-sale systems in its taprooms and restaurants to other systems running under the same roof - such as POS terminals in grocery checkout aisles and building climate controls - suggests that Whole Foods Market was running segmented networks.

Segmentation has long been highlighted by security experts as being a best practice to help organizations limit the damage they face in the event that they get breached (see 5 Secrets to Security Success).

But the restaurant and taproom systems at Whole Foods may have been outsourced to a separate, third-party provider and managed using entirely separate resources.